Using Debian as a NAT gateway with a transparent proxy and traffic monitoring

论坛徽章:
0
跳转到指定楼层
1 [收藏(0)] [报告]
Posted 2009-05-06 11:30

First, the network environment. The company runs two LANs. Fibre comes into a router, and the router's LAN side is the 192.168.10.x segment, which serves as the public-facing network and hosts the www/ftp/mail servers. 192.168.10.2 is one host on that external segment; the internal LAN is the 192.168.0.x segment and reaches the Internet through that 10.2 machine. Ha, not sure I have made that clear; it is a fairly unusual setup.
(1) Install the Debian base system (5.0.1)
(2) Connect to the network and configure the interfaces
firewall:/# vi /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
  
# The loopback network interface
auto lo
iface lo inet loopback
  
# The primary network interface
allow-hotplug eth0 eth1
iface eth0 inet static
   address 192.168.10.2
   netmask 255.255.255.0
   network 192.168.10.0
   broadcast 192.168.10.255
   gateway 192.168.10.1
   # dns-* options are implemented by the resolvconf package, if installed
   dns-nameservers 192.168.10.1
  
iface eth1 inet static
   address 192.168.0.254
   netmask 255.255.255.0
   network 192.168.0.0
   broadcast 192.168.0.255


(3) Configure DNS so that the host itself can reach the Internet (note that the interfaces file above already names 192.168.10.1 via dns-nameservers; if the resolvconf package is installed it regenerates /etc/resolv.conf from that setting and overwrites this hand edit)
firewall:/# vi /etc/resolv.conf
nameserver 202.99.166.4
(4) Test that the host can reach the Internet
firewall:/# wget http://www.sohu.com/
--2009-05-06 10:39:57--  http://www.sohu.com/
Resolving www.sohu.com... 61.135.133.38, 61.135.133.88, 61.135.133.89, ...
Connecting to www.sohu.com|61.135.133.38|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 227936 (223K) [text/html]
Saving to: `index.html'

100%[====================================================================================>] 227,936     45.5K/s   in 4.9s   

2009-05-06 10:40:02 (45.7 KB/s) - `index.html' saved [227936/227936]
(5) Configure the apt mirror (I used the Korean mirror http://ftp.kr.debian.org/ because cn99 did not seem to have 5.0.1 at the time)
firewall:/# vi /etc/apt/sources.list

#
# deb cdrom:[Debian GNU/Linux 5.0.1 _Lenny_ - Official i386 CD Binary-1 20090413-00:10]/ lenny main
# deb cdrom:[Debian GNU/Linux 5.0.1 _Lenny_ - Official i386 CD Binary-1 20090413-00:10]/ lenny main
  
deb http://ftp.kr.debian.org/debian/ stable main
deb-src http://ftp.kr.debian.org/debian/ stable main

Using the "stable" alias means this gateway will silently move to the next Debian release when it is promoted; writing "lenny" instead of "stable" pins it to the release that was actually installed and tested.
(6) Update the apt package lists (how long this takes depends on your bandwidth; it took me a little over two hours)
firewall:/# apt-get update
(7) Install SSH (after installation sshd is started automatically and a link is added under rc2.d so it starts at boot)
firewall:/# apt-get install openssh-server
Init script for starting and stopping SSH (use the absolute path, or run it from inside /etc/init.d)
firewall:/# /etc/init.d/ssh
Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart|try-restart|status}.
(8) Install squid3
firewall:/# apt-get install squid3
Init script for starting and stopping squid3
firewall:/# /etc/init.d/squid3
Usage: /etc/init.d/squid3 {start|stop|reload|force-reload|restart}
After installation, edit the squid3 configuration file first
firewall:/# vi /etc/squid3/squid.conf
# squid3 config
#
  
http_port 3128 transparent
reply_header_max_size 100 KB
  
cache_mem 1024 MB
cache_swap_low 90
cache_swap_high 98
  
maximum_object_size_in_memory 1024 KB
memory_replacement_policy heap GDSF
  
strip_query_terms off
emulate_httpd_log on
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
  
#access_log none
access_log /var/log/squid3/access.log combined
cache_log /var/log/squid3/cache.log
  
  
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Purge method PURGE
acl CONNECT method CONNECT
  
# Only this one LAN client may use the proxy. Every other 192.168.0.x host that the
# firewall redirects to port 3128 falls through to "http_access deny all" below and
# gets a squid error page, so list their addresses here (or use a src 192.168.0.0/24 ACL).
acl myip src 192.168.0.16/32
  
http_access allow manager localhost
http_access allow Purge localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# squid acts on the first http_access line that matches, so the allow for LAN clients
# must come after the two port checks above; an allow placed before them lets the
# matching clients CONNECT to arbitrary ports.
http_access allow myip
  
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
  
http_access deny all
  
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
  
icp_port 3130
  
cache_replacement_policy heap GDSF
  
error_directory /usr/share/squid3/errors/Simplify_Chinese
cache_dir ufs /var/spool/squid3 18432 32 256
coredump_dir /var/spool/squid3
  
cache_store_log none
visible_hostname squidtest
Run squid3 -z to create the cache directories. Before that, check that the cache directory exists.
Mine is /var/spool/squid3; if it does not exist, create it and hand it to the user squid runs as. The Debian package runs squid3 as the user proxy, so the directory needs to be owned by that user rather than made world-writable with chmod 777, which would let any local account tamper with the cache:
firewall:/# mkdir -p /var/spool/squid3
firewall:/# chown -R proxy:proxy /var/spool/squid3
firewall:/# chmod 750 /var/spool/squid3
firewall:/# squid3 -z
Finally, start squid; netstat -ltn shows whether it is listening
firewall:/# netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN        
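Because squid stops at the first matching http_access line, the position of an allow relative to the Safe_ports and CONNECT checks decides whether those checks apply at all. The script below is an added example, not part of the original post and not squid's own tooling: an awk-based lint that reads a squid.conf on standard input and reports any allow that precedes deny !Safe_ports or deny CONNECT !SSL_ports. The two configurations embedded in it are constructed for the check (the allow-first ordering beside the corrected one), and the function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post: a small lint for the order of
# http_access lines in a squid.conf. squid uses the first http_access line that
# matches, so an "allow" placed before "deny !Safe_ports" and
# "deny CONNECT !SSL_ports" lets whatever it matches reach any port.
# The two configs below are constructed for this check (trimmed to the ACL lines).

# Reads a squid.conf on stdin. Prints one line per allow that precedes the port
# checks and exits 1; exits 0 when the ordering is safe.
# Allows that name the "localhost" ACL are skipped: "allow manager localhost"
# normally sits above the port checks on purpose.
check_squid_order() {
    awk '
        /^[ \t]*http_access[ \t]/ {
            rule = $0
            sub(/^[ \t]*http_access[ \t]+/, "", rule)
            sub(/[ \t]*#.*$/, "", rule)
            if (rule ~ /^deny[ \t]+!Safe_ports/)             seen_ports = 1
            if (rule ~ /^deny[ \t]+CONNECT[ \t]+!SSL_ports/) seen_connect = 1
            if (rule ~ /^allow[ \t]/ && rule !~ /localhost/) {
                if (!seen_ports) {
                    printf "line %d: \"%s\" comes before deny !Safe_ports\n", NR, rule
                    bad = 1
                }
                if (!seen_connect) {
                    printf "line %d: \"%s\" comes before deny CONNECT !SSL_ports\n", NR, rule
                    bad = 1
                }
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed: the LAN allow placed above the port checks
WEAK_CONF='acl myip src 192.168.0.16/32
http_access allow myip
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all'

# Constructed: the same rules with the allow moved below the port checks
FIXED_CONF='acl myip src 192.168.0.16/32
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow myip
http_access deny all'

# Exit status 1 for the weak ordering, 0 for the fixed one
lint_weak()  { printf '%s\n' "$WEAK_CONF"  | check_squid_order; }
lint_fixed() { printf '%s\n' "$FIXED_CONF" | check_squid_order; }

# On the gateway: check_squid_order < /etc/squid3/squid.conf
```

Run it against the real file before a reload (for example from the firewall init script, aborting if it exits non-zero); a non-zero exit names the offending line so the allow can be moved below the port checks.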
(9) Create the two scripts firewall and flowctrl, used for NAT and for traffic control respectively
firewall:/# vi /etc/init.d/firewall
firewall:/# vi /etc/init.d/flowctrl
Make them executable
firewall:/# chmod +x /etc/init.d/firewall
firewall:/# chmod +x /etc/init.d/flowctrl
Create the start-up links
firewall:/# ln -s /etc/init.d/firewall /etc/rc2.d/S50firewall
firewall:/# ln -s /etc/init.d/flowctrl /etc/rc2.d/S51flowctrl
Firewall script: NAT for the LAN, transparent proxying into squid, and IP/MAC address control
#!/bin/sh
echo "Starting firewall script."
echo 1 > /proc/sys/net/ipv4/ip_forward
# Old module names; current kernels resolve them through aliases to the nf_conntrack_* / nf_nat_* modules
modprobe ip_tables
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
iptables -F
iptables -t nat -F
# INPUT stays ACCEPT, so every service bound to 0.0.0.0 (sshd, squid on 3128,
# mini-httpd on 80) is reachable from the 192.168.10.x side through eth0 as well
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# Transparent proxy: LAN clients enter on eth1 (192.168.0.254), so the match must
# be -i eth1. With -i eth0 (the external interface) this rule never fires and LAN
# HTTP bypasses squid through the MASQUERADE rule below.
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
# ip & mac: only the listed (IP, MAC) pairs are forwarded; the final rule drops
# everything else from the LAN. The MAC match only sees the layer-2 source on eth1
# and a MAC is trivially changed, so this is inventory control, not authentication.
# iptables -A FORWARD -s 192.168.0.5 -m mac --mac-source 00:17:31:98:a2:2a -j ACCEPT
# engineering department (gong cheng bu)
iptables -A FORWARD -s 192.168.0.16 -m mac --mac-source 00:24:8c:03:bf:69 -j ACCEPT
iptables -A FORWARD -s 192.168.0.18 -m mac --mac-source 00:0a:eb:1f:6e:bf -j ACCEPT
# development department (kai fa bu)
iptables -A FORWARD -s 192.168.0.21 -m mac --mac-source 00:23:54:f5:88:1a -j ACCEPT
iptables -A FORWARD -s 192.168.0.22 -m mac --mac-source 00:23:54:f5:88:6a -j ACCEPT
iptables -A FORWARD -s 192.168.0.25 -m mac --mac-source 00:0a:eb:1f:91:c2 -j ACCEPT
iptables -A FORWARD -s 192.168.0.27 -m mac --mac-source 00:03:0d:6d:d2:4d -j ACCEPT
iptables -A FORWARD -s 192.168.0.29 -m mac --mac-source 00:16:17:16:6a:aa -j ACCEPT
iptables -A FORWARD -s 192.168.0.32 -m mac --mac-source 00:23:54:f5:88:53 -j ACCEPT
iptables -A FORWARD -s 192.168.0.34 -m mac --mac-source 00:0a:eb:22:66:59 -j ACCEPT
iptables -A FORWARD -s 192.168.0.35 -m mac --mac-source 00:0a:eb:1f:91:78 -j ACCEPT
iptables -A FORWARD -s 192.168.0.39 -m mac --mac-source 00:23:54:f5:84:23 -j ACCEPT
iptables -A FORWARD -s 192.168.0.41 -m mac --mac-source 00:0a:eb:51:09:37 -j ACCEPT
....(other IP and MAC addresses that need Internet access)


iptables -A FORWARD -s 192.168.0.0/24 -j DROP
echo "Firewall script load ok"
Traffic control script: a speed cap for every LAN IP, done the simplest and most naive way
#!/bin/sh
#
echo "Load TC script ..."
# Shaping on eth1 only affects traffic leaving towards the LAN, i.e. downloads; uploads are not limited
tc qdisc del dev eth1 root 2>/dev/null
# Unclassified traffic is sent to 10:255; that class is never created, so HTB passes it through unshaped
tc qdisc add dev eth1 root handle 10: htb default 255
# tc units: "kbps" means kilobytes per second and "kbit" kilobits per second, so 12500kbps is 100 Mbit/s
tc class add dev eth1 parent 10: classid 10:1 htb rate 12500kbps ceil 12500kbps  
# speed (kilobytes per second: 250kbps = 2 Mbit/s, 32kbps = 256 kbit/s)
SPEED1=250kbps
SPEED2=250kbps
SPEED3=500kbps
SPEED4=64kbps
SPEED5=32kbps
# Class ids must carry the qdisc's major number: a bare "101" is parsed as 0:101, the
# class add fails with "Invalid argument", and the filters below then point at classes
# that do not exist
tc class add dev eth1 parent 10:1 classid 10:101 htb rate $SPEED1 ceil $SPEED1 prio 1
tc class add dev eth1 parent 10:1 classid 10:102 htb rate $SPEED2 ceil $SPEED2 prio 2
tc class add dev eth1 parent 10:1 classid 10:103 htb rate $SPEED3 ceil $SPEED3 prio 3
tc class add dev eth1 parent 10:1 classid 10:104 htb rate $SPEED4 ceil $SPEED4 prio 4
tc class add dev eth1 parent 10:1 classid 10:105 htb rate $SPEED5 ceil $SPEED5 prio 5
# Hosts .2 to .8 share class 10:101 (250 kbytes/s between them); the other classes are assigned the same way
tc filter add dev eth1 parent 10: protocol ip prio 1 u32 match ip dst 192.168.0.2/32 classid 10:101
tc filter add dev eth1 parent 10: protocol ip prio 1 u32 match ip dst 192.168.0.3/32 classid 10:101
tc filter add dev eth1 parent 10: protocol ip prio 1 u32 match ip dst 192.168.0.4/32 classid 10:101
tc filter add dev eth1 parent 10: protocol ip prio 1 u32 match ip dst 192.168.0.5/32 classid 10:101
tc filter add dev eth1 parent 10: protocol ip prio 1 u32 match ip dst 192.168.0.6/32 classid 10:101
tc filter add dev eth1 parent 10: protocol ip prio 1 u32 match ip dst 192.168.0.7/32 classid 10:101
tc filter add dev eth1 parent 10: protocol ip prio 1 u32 match ip dst 192.168.0.8/32 classid 10:101
.....(repeat for the remaining hosts; crude, but it works)
echo "OK"
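The per-host ACCEPT lines in the firewall script and the per-IP class/filter lines in the tc script are both copies of one pattern keyed on the host address. The script below is an added example, not code from the original post: it keeps the hosts in a single table, validates every row, and prints the iptables and tc commands for the gateway, with one HTB leaf per host (a generalisation of the post's five shared classes). The HOSTS table, the rate column and the function names are constructed for this example; the first three rows reuse addresses from the post's firewall script and the last row is deliberately malformed. Rates are written in kbit because tc reads "kbps" as kilobytes per second.

```shell
#!/bin/sh
# Added example, not code from the original post: keep the allowed LAN hosts in
# one table and generate both the per-host FORWARD rules (IP/MAC binding) and
# the per-host HTB class/filter pairs from it, instead of hand-copying a line
# for every machine. Rows are validated first, so a typo in an IP or MAC is
# reported rather than silently loaded into the ruleset. Nothing is applied:
# the commands are printed for review (pipe them to sh on the gateway).
# The table is constructed for this example: the first three rows reuse
# addresses from the post's firewall script, the last row is deliberately bad.
# Rates are in kbit (kilobits/s); tc would read "kbps" as kilobytes per second.

HOSTS='# ip           mac                 rate_kbit
192.168.0.16   00:24:8c:03:bf:69   2000
192.168.0.18   00:0a:eb:1f:6e:bf   2000
192.168.0.21   00:23:54:f5:88:1a   4000
192.168.0.999  not-a-mac           512'

LAN=192.168.0.0/24
DEV=eth1            # interface facing the LAN; shaping here caps downloads only

# Dotted quad with every octet in 0..255
valid_ip4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Six lower-case hex octets separated by colons
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Positive integer
valid_rate() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 0 ]
}

# Emits "ip mac rate" for every valid row; bad rows go to stderr and are skipped
valid_rows() {
    printf '%s\n' "$HOSTS" | while read -r ip mac rate rest; do
        case "$ip" in ''|\#*) continue ;; esac
        mac=$(printf '%s' "$mac" | tr 'A-Z' 'a-z')
        if valid_ip4 "$ip" && valid_mac "$mac" && valid_rate "$rate"; then
            printf '%s %s %s\n' "$ip" "$mac" "$rate"
        else
            echo "skipping invalid row: $ip $mac $rate" >&2
        fi
    done
}

# FORWARD rules: one ACCEPT per (ip, mac) pair, then the catch-all DROP for the LAN.
# The MAC match only checks the layer-2 source on the LAN interface and is easy
# to spoof: it keeps unknown machines off the gateway, it does not authenticate.
gen_forward_rules() {
    valid_rows | while read -r ip mac rate; do
        echo "iptables -A FORWARD -s $ip -m mac --mac-source $mac -j ACCEPT"
    done
    echo "iptables -A FORWARD -s $LAN -j DROP"
}

# HTB: root class 10:1, one leaf class per host (minor id derived from the last
# octet so the ids stay unique) and a u32 filter on the destination address
gen_tc_rules() {
    dev=${1:-$DEV}
    echo "tc qdisc del dev $dev root 2>/dev/null"
    echo "tc qdisc add dev $dev root handle 10: htb default 255"
    echo "tc class add dev $dev parent 10: classid 10:1 htb rate 100mbit ceil 100mbit"
    valid_rows | while read -r ip mac rate; do
        last=${ip##*.}
        cls=$(printf '10:%x' $((256 + last)))
        echo "tc class add dev $dev parent 10:1 classid $cls htb rate ${rate}kbit ceil ${rate}kbit"
        echo "tc filter add dev $dev parent 10: protocol ip prio 1 u32 match ip dst $ip/32 flowid $cls"
    done
}
```

Review the printed commands, then feed them to sh on the gateway (gen_forward_rules | sh; gen_tc_rules eth1 | sh). Invalid rows are reported on stderr and never reach the ruleset, which is the check the hand-copied lists in the two scripts above do not give you.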
(10) Install bandwidthd for traffic monitoring; it needs an HTTP server to serve its reports, I used mini-httpd
firewall:/# apt-get install bandwidthd
firewall:/# apt-get install mini-httpd
Configure bandwidthd first
firewall:/# vi /etc/bandwidthd/bandwidthd.conf
####################################################
# Bandwidthd.conf
#
# Commented out options are here to provide
# documentation and represent defaults
  
# Subnets to collect statistics on.  Traffic that
# matches none of these subnets will be ignored.
# Syntax is either IP Subnet Mask or CIDR
#subnet 192.168.0.0/24
  
subnet 192.168.0.0/24
# subnet 192.168.10.0/24
  
  
# Device to listen on
# Bandwidthd listens on the first device it detects
# by default.  Run "bandwidthd -l" for a list of
# devices.
#dev "eth0"
  
dev "eth1"
  
###################################################
# Options that don't usually get changed
  
# An interval is 2.5 minutes, this is how many
# intervals to skip before doing a graphing run
#skip_intervals 0
  
# Graph cutoff is how many k must be transfered by an
# ip before we bother to graph it
graph_cutoff 1024
  
#Put interface in promiscuous mode to score to traffic
#that may not be routing through the host machine.
promiscuous true

#Log data to cdf file htdocs/log.cdf
#output_cdf false
output_cdf true
  
#Set the cdf log output directory
#log_dir "/var/lib/bandwidthd"
  
#Read back the cdf file on startup
recover_cdf true
  
#Libpcap format filter string used to control what bandwidthd see's
#Please always include "ip" in the string to avoid strange problems
filter "ip"
  
#Draw Graphs - This default to true to graph the traffic bandwidthd is recording
#Usually set this to false if you only want cdf output or
#you are using the database output option.  Bandwidthd will use very little
#ram and cpu if this is set to false.
#graph true
  
#Set META REFRESH for static pages in seconds(default 150, use 0 to disable).
#meta_refresh 150
  
meta_refresh 150
  
#Set the static html output directory
htdocs_dir "/var/lib/bandwidthd/htdocs"

Note: my htdocs directory is /var/lib/bandwidthd/htdocs, so the httpd document directory has to point there. With host=0.0.0.0 and user=root as in the configuration below, the per-host traffic graphs are served by a root process and are reachable from the 192.168.10.x segment through eth0 as well; binding to 192.168.0.254 and letting mini_httpd drop privileges after it binds port 80 (its default user is nobody) keeps them inside the LAN.

firewall:/# vi /etc/mini-httpd.conf

# Example config for mini_httpd.
# Author: Marvin Stark
  
# Uncomment this line for turning on ssl support.
#ssl
  
# On which host mini_httpd should bind?
host=0.0.0.0
  
# On which port mini_httpd should listen?
port=80
  
# Which user mini_httpd should use?
user=root
  
# Run in chroot mode?
chroot # yes
# nochroot # no
  
# Working directory of mini_httpd.
#dir=
  
# Where are the web files stored?
# Please change this to your needs.
data_dir=/var/lib/bandwidthd/htdocs/
  
# Which certificate to use?
#certfile=
  
# Which logfile to use?
logfile=/var/log/mini-httpd.log
  
# Which pidfile to use?
pidfile=/var/run/mini-httpd.pid
  
# Which charset to use?
charset=iso-8859-1
Before starting httpd you will be told to edit /etc/default/mini-httpd and change START=0 to START=1
firewall:/# vi /etc/default/mini-httpd
# Defaults for mini_httpd initscript
# Author: Marvin Stark
  
# Start daemon?
# 0 = no
# 1 = yes
START=1
  
# Additional options that are passed to the Daemon.
DAEMON_OPTS="-C /etc/mini-httpd.conf"

Finally, start mini-httpd and bandwidthd; both init scripts live in /etc/init.d
firewall:/# /etc/init.d/bandwidthd
Usage: /etc/init.d/bandwidthd {start|stop|restart|rotate|force-reload}
firewall:/# /etc/init.d/mini-httpd
Usage: /etc/init.d/mini-httpd {start|stop|restart|force-reload}
This article comes from the ChinaUnix blog; the original is at http://blog.chinaunix.net/u1/45779/showart_1919517.html